Referring to the rule shown on the MARS GUI screen, which two of the following
statements are correct? (Choose two.)


[MARS GUI screenshot (recovered text): Rule Name: System Rule: Backdoor: Connect ...; Status: Active; Action: None; Time Range: ...; Description: ...; rule table with columns Offset | Open ( | Source IP | ... (remaining cells unreadable)]


A. This rule will fire if the offset 1 condition occurs "OR" if the offset 2 condition occurs. 
B. This rule will fire if the offset 3 condition occurs. 

C. The expressions between cells are "AND" while the expressions between items in the
same cell are "OR".

D. This is a user-defined rule. 

E. This rule can be deleted after changing its status to "inactive." 


Answer: B, C 


QUESTION: 42 
Referring to the System Inspection Rule shown on the MARS GUI screen, which one of the 
following statements is correct? 


[MARS GUI screenshot (recovered text): Inspection Rules; Change Status; View: Inactive
Rule Name: System Rule: Client Exploit: Mass Mailing Worm
Action: None
Description: This rule detects an excessive amount of email (at least .../min) from a single host. To sharpen this rule for ... server hosts, create a group and add an exception by excluding these hosts in the source of this rule.
Rule table columns: Offset | Open ( | Source IP | Destination IP | Service Name | Event | Device | Reported User | Keyword | Severity | Count | ) Close | Operation
Row: 1 | ANY | ANY | ANY | ... | ANY | None (remaining cells unreadable)]


A. Click on "Add" to activate the rule. 

B. Click on "Activate" to activate the rule. 

C. Click on "Change Status" to activate the rule. 

D. Click on "Edit." Then you can apply and activate the rule. 
E. Click on "Duplicate" to archive the rule to a remote NAS. 


Answer: C 


QUESTION: 43 
Referring to the diagram shown on the MARS GUI screen, why is the Push function not 
enabled (grayed out)? 


[MARS GUI screenshot (recovered text):
Enforcement Device: HQ-FW-1 (...), Alternate
Default gateway: (unreadable)

Enforcement Device Information
Columns: Device | Type | Manager | Children | Log To | Collects From
Row: HQ-FW-1, Cisco PIX 6.2, PN-MARS on demos, PN-MARS on demos (column alignment unreadable)

Interface Information
Columns: Direction | IP Address | Interface Name | DNS Name | MAC Address | MAC Update Time
Inbound | 10.... (unreadable) | inside | None / not found | N/A | N/A
Outbound | 192.168.1.1 | DMZ-slot:1 | None / not found | N/A | N/A

Recommended Policies / Commands
access-list inside-acl deny tcp host 10.1.1.10 host 192.168.1.10 eq 21
or
access-list inside-acl deny tcp host 10.1.1.10 any
or
shun 10.1.1.10 192.168.1.10 4002 21 tcp]


A. Because the HQ-FW-1 device is the alternate choke point for mitigating this attack. 
B. Because MARS cannot push commands to Layer 3 devices. 

C. Because the Incident has not been confirmed by the administrator. 

D. Because the Incident is a false positive. 

E. Because MARS is operating at level 2 and not at level 3. 

F. Because the selected mitigation command is not supported on the HQ-FW-1 device. 


Answer: B 
QUESTION: 44 


Which three of the following reporting devices can be added to the MARS appliance using
"Add SW security apps on new host"? (Choose three.)

[MARS GUI screenshot (recovered text): Device Type drop-down, currently showing Cisco ASA 7.0
--- HW based security devices ---
Cisco ASA 7.0
Cisco IDS 3.1
Cisco IDS 4.0
Cisco IOS 12.2
Cisco PIX 6.x (version partly unreadable)
Cisco PIX 7.0
Cisco Switch-CatOS ANY
Cisco Switch-IOS 12.2
Cisco VPN Concentrator 4.x
... (unreadable entry)
Extreme ExtremeWare 6.x
Generic Router version unknown
NetScreen ScreenOS 4.0
NetScreen ScreenOS 5.0
Community:
Monitor Resource ... (remaining text unreadable)]


A. Cisco ACS 

B. Netflow 

C. SNORT 

D. FWSM 

E. Generic web server. 


Answer: A, C, E 
QUESTION: 45 


After manually adding the BR-FW-1 device shown in the MARS GUI screen, what 
additional steps do you need to perform? 


Note:
1. Enter the reporting IP (the IP address where events originated from) to ensure that the system processes the events.
2. * denotes a required field.


[MARS GUI screenshot (recovered text): Device Type: Cisco PIX 6.1
*Device Name:
*Access IP:
*Reporting IP: (label partly unreadable)
*Access Type: ...
Enable Password:
Config Path:
File name:
SNMP RO Community: (field values unreadable)]


A. Click "Activate" to enable the device. 
B. Click "Submit" to enable the device. 
C. Click "Submit" to test access to the device. When access is successful, click "Activate" to 


activate the device. 

D. Click "Activate" to activate the device, then click "Submit" to save the device 
configuration. 

E. Click "Discover' to initiate manual discovery. When discovery is completed, click 
"Submit," then "Activate." 


Answer: E 


QUESTION: 46 
Referring to the Incident Vector Graph shown on the MARS GUI screen, which three of the
following statements are correct? (Choose three.)


[MARS GUI screenshot (recovered text): Aug 17, 2005 5:18:51 PM CDT
Standalone: demos v3.4   Login: sales, usa (usasales) :: | Close
Session ID: S:247161812
Src: 46.40.1.23/2500
Dest: 192.168.1.10/80
Event Types: WWW IIS .ida Indexing Service Overflow ... (remaining text, including the attacked device label beginning "HQ-", unreadable)]


A. The port being attacked is port 80. 

B. This incident has two associated Event Types. 

C. You can mitigate this attack by clicking on the device being attacked. 

D. The device being attacked is the Tivoli Server. 

E. Click the Previous button to view any other Sessions related to this incident. 


Answer: A, B, E 


QUESTION: 47 
Referring to the Rule shown on the MARS GUI screen, what is used to determine that there
is a sudden traffic increase to a particular port, and which type of attack is this Rule useful
for detecting? (Choose two.)

[MARS GUI screenshot (recovered text): Rule Name: System Rule: Sudden Traffic Increase To Port
Action: None
Description: This rule detects a statistically significant increase in traffic to a particular port.
Rule table columns: Offset | Open ( | Source IP | Destination IP | Service Name | Event | Device
Row: 1 | ANY | ANY | ANY | Sudden increase of traffic to a port | ANY | ... (remaining cells unreadable)]


A. Real-time queries

B. CSA logs

C. Netflow data

D. SNMP polling

E. Day-zero attacks

F. Access attacks

G. Reconnaissance attacks 
H. Denial of service attacks. 


Answer: C, E 
QUESTION: 48
To configure the MARS appliance to send out an alert when the system rule fires, what 
should you do from the MARS GUI screen shown? 


[MARS GUI screenshot (recovered text): Rule Name: System Rule: Network Activity: Windows Popup Spam
Action: None
Description: This correlation detects excessive traffic (likely pop up spam) from the same source to the Windows Me... (rest of description cut off)
Row: $TARGET01, ANY, MSMessengerService_UDP (src port: ANY, dst port: 1026-1029, proto: UDP), ANY
Buttons: Edit | Change Status]


A. Click on "Active" in the "Status" field, select the appropriate alerts, then apply. 

B. Click on "None" in the "Action" field, select the appropriate alerts, then apply. 

C. Click "Edit" to edit the "Operation" field of the rule, select the appropriate alert option(s), 
then apply. 

D. Click "Edit" to edit the "Event" field of the rule, select the appropriate alert option(s), 
then apply. 

E. Click "Edit" to edit the "Reported User" field of the rule, select the appropriate alert 
option(s), then apply. 


Answer: B 
QUESTION: 49 


Referring to the incident shown on the MARS GUI screen, which two of the following 
statements are correct? (Choose two.) 


[MARS GUI screenshot (recovered text): Rule Name: Nimda Rule
Action: None
Description: Rule to capture Nimda virus
Rule table columns: Offset | Open ( | Source IP | Destination IP | Service Name | Event | ...
Row: 1 | ANY | ANY | ANY | Penetrate/NimdaWorm | ANY | None

Incident ID: 2272694.. (last digits unreadable)
Incident table columns: ... (unreadable) | Session / Incident ID | Event Type | Source IP/Port | Destination IP/Port | Protocol | Time
Row 1: S:236785492, I:227269459, I:227269460 | IIS DOT DOT EXECUTE, IIS Dot Dot Crash, WWW WinNT cmd.exe Exec, IIS CGI Double Decode, WWW IIS Unicode Directory traversal (Groups: 4, Total: 5) | 10.1.5.2 / 2010 | 10.10.1.243 / 80 | TCP | Aug 5, 2005
Further rows: IIS DOT DOT Execute, IIS Dot Dot Crash, WWW WinNT cmd.exe Exec (remaining cells unreadable)]


A. This is a low-severity incident. 
B. This is a false positive incident.

C. There are multiple events that correlate to the 236785492 session. 

D. The 236785492 session is related to both the 227269459 and the 227269460 Incidents. 
E. The Nimda rule triggered both the 227269459 and the 227269460 Incidents. 


Answer: C, D 